aboutsummaryrefslogtreecommitdiffstats
path: root/vnet
diff options
context:
space:
mode:
authorSergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>2016-12-12 10:37:49 +0000
committerDamjan Marion <dmarion.lists@gmail.com>2016-12-12 13:03:27 +0000
commit1b6f90204682fdd43d899ab454349536de785b86 (patch)
treee868069447bf42ff24badf5602701abf6a0e5499 /vnet
parent64bc612d4ce682fdd4a6e1c8a47b7538f200b24f (diff)
ipsec: go straight to lookup after esp encrypt
Currently, IPsec tunnel traffic goes to ip4-input/ip6-input after esp-encrypt. It is not necessary to check that the new IP header is valid (if it is not valid then we have otehr issues). Instead, just send packets straight to ip4-lookup/ip6-lookup after esp-encrypt. Change-Id: I5e35d500cb0f33f418f8554ed1f4390f02b6647d Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Diffstat (limited to 'vnet')
-rw-r--r--vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c8
-rw-r--r--vnet/vnet/ipsec/esp_encrypt.c8
2 files changed, 8 insertions, 8 deletions
diff --git a/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c b/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c
index 7e41007c92c..10bb4616eef 100644
--- a/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c
+++ b/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c
@@ -25,8 +25,8 @@
#define foreach_esp_encrypt_next \
_(DROP, "error-drop") \
-_(IP4_INPUT, "ip4-input") \
-_(IP6_INPUT, "ip6-input") \
+_(IP4_LOOKUP, "ip4-lookup") \
+_(IP6_LOOKUP, "ip6-lookup") \
_(INTERFACE_OUTPUT, "interface-output")
#define _(v, s) ESP_ENCRYPT_NEXT_##v,
@@ -287,7 +287,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm,
oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32;
/* in tunnel mode send it back to FIB */
- next0 = ESP_ENCRYPT_NEXT_IP4_INPUT;
+ next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP;
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
}
else if (sa0->is_tunnel && sa0->is_tunnel_ip6)
@@ -302,7 +302,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm,
sa0->tunnel_dst_addr.ip6.as_u64[1];
/* in tunnel mode send it back to FIB */
- next0 = ESP_ENCRYPT_NEXT_IP6_INPUT;
+ next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP;
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
}
else
diff --git a/vnet/vnet/ipsec/esp_encrypt.c b/vnet/vnet/ipsec/esp_encrypt.c
index b947611e867..7b7f9b9c4c7 100644
--- a/vnet/vnet/ipsec/esp_encrypt.c
+++ b/vnet/vnet/ipsec/esp_encrypt.c
@@ -25,8 +25,8 @@
#define foreach_esp_encrypt_next \
_(DROP, "error-drop") \
-_(IP4_INPUT, "ip4-input") \
-_(IP6_INPUT, "ip6-input") \
+_(IP4_LOOKUP, "ip4-lookup") \
+_(IP6_LOOKUP, "ip6-lookup") \
_(INTERFACE_OUTPUT, "interface-output")
#define _(v, s) ESP_ENCRYPT_NEXT_##v,
@@ -226,7 +226,7 @@ esp_encrypt_node_fn (vlib_main_t * vm,
oh6_0->esp.seq = clib_net_to_host_u32 (sa0->seq);
ip_proto = ih6_0->ip6.protocol;
- next0 = ESP_ENCRYPT_NEXT_IP6_INPUT;
+ next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP;
}
else
{
@@ -248,7 +248,7 @@ esp_encrypt_node_fn (vlib_main_t * vm,
oh0->esp.seq = clib_net_to_host_u32 (sa0->seq);
ip_proto = ih0->ip4.protocol;
- next0 = ESP_ENCRYPT_NEXT_IP4_INPUT;
+ next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP;
}
if (PREDICT_TRUE